SecureArray: improving wifi security with fine-grained physical-layer information

Despite the important role that WiFi networks play in home and enterprise networks they are relatively weak from a security standpoint. With easily available directional antennas, attackers can be physically located off-site, yet compromise WiFi security protocols such as WEP, WPA, and even to some extent WPA2 through a range of exploits specific to those protocols, or simply by running dictionary and human-factors attacks on users' poorly-chosen passwords. This presents a security risk to the entire home or enterprise network. To mitigate this ongoing problem, we propose SecureArray, a system designed to operate alongside existing wireless security protocols, adding defense in depth against active attacks. SecureArray's novel signal processing techniques leverage multi-antenna access point (AP) to profile the directions at which a client's signals arrive, using this angle-of-arrival (AoA) information to construct highly sensitive signatures that with very high probability uniquely identify each client. Upon overhearing a suspicious transmission, the client and AP initiate an AoA signature-based challenge-response protocol to confirm and mitigate the threat. We also discuss how SecureArray can mitigate direct denial-of-service attacks on the latest 802.11 wireless security protocol. We have implemented SecureArray with an eight-antenna WARP hardware radio acting as the AP. Our experimental results show that in a busy office environment, SecureArray is orders of magnitude more accurate than current techniques, mitigating 100% of WiFi spoofing attack attempts while at the same time triggering false alarms on just 0.6% of legitimate traffic. Detection rate remains high when the attacker is located only five centimeters away from the legitimate client, for AP with fewer numbers of antennas and when client is mobile.

[1]  Gerard J. Holzmann,et al.  The Model Checker SPIN , 1997, IEEE Trans. Software Eng..

[2]  Erik Tews,et al.  Practical attacks against WEP and WPA , 2009, WiSec '09.

[3]  Yong Sheng,et al.  Detecting 802.11 MAC Layer Spoofing Using Received Signal Strength , 2008, IEEE INFOCOM 2008 - The 27th Conference on Computer Communications.

[4]  Xiang-Yang Li,et al.  Rejecting the attack: Source authentication for Wi-Fi management frames using CSI Information , 2012, 2013 Proceedings IEEE INFOCOM.

[5]  David R. Cheriton,et al.  Detecting identity-based attacks in wireless networks using signalprints , 2006, WiSe '06.

[6]  Wei Wang,et al.  SAM: enabling practical spatial multiple access in wireless LAN , 2009, MobiCom '09.

[7]  Sneha Kumar Kasera,et al.  On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews , 2010, IEEE Transactions on Mobile Computing.

[8]  Stig Fr. Mjølsnes,et al.  A formal analysis of IEEE 802.11w deadlock vulnerabilities , 2012, 2012 Proceedings IEEE INFOCOM.

[9]  Srdjan Capkun,et al.  Secure neighborhood discovery: a fundamental element for mobile ad hoc networking , 2008, IEEE Communications Magazine.

[10]  Dina Katabi,et al.  Zigzag decoding: combating hidden terminals in wireless networks , 2008, SIGCOMM '08.

[11]  Marco Gruteser,et al.  Enhancing Location Privacy in Wireless LAN Through Disposable Interface Identifiers: A Quantitative Analysis , 2005, Mob. Networks Appl..

[12]  Dina Katabi,et al.  Interference alignment and cancellation , 2009, SIGCOMM '09.

[13]  Erik Tews,et al.  Breaking 104 Bit WEP in Less Than 60 Seconds , 2007, WISA.

[14]  Desmond Loh Chin Choong,et al.  Identifying unique devices through wireless fingerprinting , 2008, WiSec '08.

[15]  Sung-Ju Lee,et al.  STROBE: Actively securing wireless communications using Zero-Forcing Beamforming , 2012, 2012 Proceedings IEEE INFOCOM.

[16]  Sneha Kumar Kasera,et al.  Robust location distinction using temporal link signatures , 2007, MobiCom '07.

[17]  David Wetherall,et al.  Tool release: gathering 802.11n traces with channel state information , 2011, CCRV.

[18]  Mark Handley,et al.  The final nail in WEP's coffin , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[19]  Benjamin Bertka 802 . 11 w Security : DoS Attacks and Vulnerability Controls , 2012 .

[20]  Tom Minka,et al.  Spot Localization using PHY Layer Information , 2012 .

[21]  Martin Eian,et al.  The modeling and comparison of wireless network denial of service attacks , 2011, MobiHeld '11.

[22]  Daniel B. Faria,et al.  No Long-term Secrets : Location-based Security in Overprovisioned Wireless LANs , 2004 .

[23]  Thomas L. Marzetta,et al.  Argos: practical many-antenna base stations , 2012, Mobicom '12.

[24]  Moustafa Youssef,et al.  The Horus WLAN location determination system , 2005, MobiSys '05.

[25]  Jie Xiong,et al.  SecureAngle: improving wireless security using angle-of-arrival information , 2010, Hotnets-IX.

[26]  Marco Gruteser,et al.  Wireless device identification with radiometric signatures , 2008, MobiCom '08.

[27]  Jie Xiong,et al.  ArrayTrack: A Fine-Grained Indoor Location System , 2011, NSDI.

[28]  R. O. Schmidt,et al.  Multiple emitter location and signal Parameter estimation , 1986 .

[29]  Michel Barbeau,et al.  Detecting Impersonation Attacks in Future Wireless and Mobile Networks , 2005, MADNES.

[30]  Edward W. Knightly,et al.  Design and experimental evaluation of multi-user beamforming in wireless LANs , 2010, MobiCom.

[31]  T. Kohno,et al.  Remote physical device fingerprinting , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[32]  Tom Minka,et al.  You are facing the Mona Lisa: spot localization using PHY layer information , 2012, MobiSys '12.

[33]  Sneha Kumar Kasera,et al.  Advancing wireless link signatures for location distinction , 2008, MobiCom '08.

[34]  Marco Gruteser,et al.  Detecting Identity Spoofs in 802 . 11 e Wireless Networks , 2009 .

[35]  Md. Sohail Ahmad,et al.  Short paper: security evaluation of IEEE 802.11w specification , 2011, WiSec '11.

[36]  R. Morgan Mobile radio communications. , 1982, Hospital engineering.

[37]  Marco Gruteser,et al.  Detecting Identity Spoofs in IEEE 802.11e Wireless Networks , 2009, GLOBECOM 2009 - 2009 IEEE Global Telecommunications Conference.

[38]  Srinivasan Seshan,et al.  802.11 user fingerprinting , 2007, MobiCom '07.